Cisco Support Community
New Member

CSM-SSL, can't import certificate

All:

This is driving me bloody crazy...

So we have a number of certificates that we have exported from an ACE module and need to have imported to these CSM-SSL modules.  Problem is, I can't for the life of me get it to accept the keys.  It continually gives me "Invalid PEM Header"...

Has anyone encountered this?

5 REPLIES
Cisco Employee

Re: CSM-SSL, can't import certificate

Hey Buddy,

My best guess according to your description is that the keys on your ACE modules were uploaded in the decrypted format; CSM-S or SSLM will only accept encrypted keys.

You can encrypt the key using OpenSSL, just copy the text into a notepad and put it into the bin folder (C:/OpenSSL/bin) and encrypt it using this command:

OpenSSL> rsa -in decrypted_key.pem -out encrypted_key.pem -des3

New encrypted key should be found within the same folder.

HTH

__ __

Pablo

New Member

Re: CSM-SSL, can't import certificate

Thanks... that's what I'd kind of thought before, and had used openssl to encrypt (3des) the key and tried it before, and then it gave me "Invalid PEM Boundary"....

Any thoughts?

Cisco Employee

Re: CSM-SSL, can't import certificate

Hmmm weird,

Are you using the quit command after copying/pasting public and private key?

SSLM-1(config)#crypto key import rsa Mykey general-purpose exportable terminal


% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.


-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEdkj*ajknJKLD+-FS
IVqL+K2woD9VI+XX97fOrAvJdESj/o9VpUhuRSKm3CQAVTec8ymJPcv+6tjuOgf2
1/uGnNKV4xsIV/3GUQIDAQAB
-----END PUBLIC KEY-----


quit


% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.


-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B4E43A7E35A05EBD
qARvas9eklaxZhmlBTWNr86GM+w3+DSrnJP5ZsEMR9tvSX76LKUXL8hJjeXeL+Xu
NZacCeGgFs8jZdTZSrUxi7F+W+ruMyp3cfInp5jkg38PsqgcEeQNYEL570ya5jji
EQyiN+KygjRU0ZmFbRgxHkxJUdhyl0xMLOuNQYFZs2WTBBxoqQSa+A==
-----END RSA PRIVATE KEY-----


quit


% Key pair import succeeded.
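
A pre-flight check for the paste step in the session above, as an added example that is not part of the thread or of Cisco's tooling: it parses a PEM block, reports whether the private key carries the `Proc-Type: 4,ENCRYPTED` and `DEK-Info` headers seen in the working import, and lists boundary or character problems. The name `inspect_pem` and the sample key are constructed for illustration; which conditions trigger the module's "Invalid PEM Header" and "Invalid PEM Boundary" messages is not stated in the thread.

```python
import re

BOUNDARY = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")
BASE64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def inspect_pem(text):
    """Describe the first PEM block in text; returns a dict with
    'label', 'encrypted' and a list of 'problems'."""
    problems, headers, body = [], {}, []
    label, state = None, "before"
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if state == "done":          # ignore anything after END, e.g. "quit"
            break
        if raw != line:
            problems.append(f"line {n}: stray whitespace")
        m = BOUNDARY.fullmatch(line)
        if state == "before":
            if m and m.group(1) == "BEGIN":
                label, state = m.group(2), "inside"
            elif line:
                problems.append(f"line {n}: not a BEGIN boundary")
        elif m and m.group(1) == "END":
            if m.group(2) != label:
                problems.append(f"line {n}: END label differs from BEGIN")
            state = "done"
        elif line.startswith("-"):
            problems.append(f"line {n}: malformed boundary")
        elif ":" in line and not body:      # RFC 1421 style header line
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        elif line:
            if not BASE64_LINE.fullmatch(line):
                problems.append(f"line {n}: non-base64 characters")
            body.append(line)
    if state != "done":
        problems.append("block is not closed by an END boundary")
    legacy = headers.get("Proc-Type") == "4,ENCRYPTED"
    if legacy and "DEK-Info" not in headers:
        problems.append("Proc-Type says ENCRYPTED but DEK-Info is missing")
    encrypted = legacy or label == "ENCRYPTED PRIVATE KEY"
    return {"label": label, "encrypted": encrypted, "problems": problems}

# Constructed sample (dummy base64, not a real key): an unencrypted block.
PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGRw==\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(inspect_pem(PLAIN))
```
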

New Member

Re: CSM-SSL, can't import certificate

Hey... thanks... you know, I was just doing it incorrectly.

Was trying to import via:

crypto ca import MyCert pem terminal "password"

Thanks for all your help... you know even CISCO TAC case has been open for about 2 weeks (was just escalated to me today)... they should've caught this... but I'm used to it, which is why I posted here..

THANKS AGAIN!!!

Cisco Employee

Re: CSM-SSL, can't import certificate

Awesome! Glad to be of help =)

Have a good one!

__ __

Pablo
